ZeroToWP

User Role

Quick Definition

A user role is a predefined set of permissions that controls what a person can do on a WordPress site. WordPress includes five default roles: Administrator, Editor, Author, Contributor, and Subscriber.

WordPress Roles and Capabilities documentation on wordpress.org

What Is a User Role?

A user role in WordPress is a set of permissions that determines what a user can and cannot do on your site. Every WordPress user is assigned exactly one role, and that role controls their access to everything — from writing posts to managing plugins to changing site settings.

WordPress comes with five default roles (plus a sixth for Multisite):

  • Administrator — Full control over the entire site. Can install plugins, change themes, manage users, edit settings, and access every feature. On a single-site installation, this is the most powerful role.
  • Editor — Can create, edit, publish, and delete any post or page on the site, including content by other users. Can moderate comments and manage categories and tags. Cannot access plugins, themes, or site settings.
  • Author — Can write, edit, publish, and delete their own posts. Can upload images and files. Cannot edit other people's content or manage pages.
  • Contributor — Can write and edit their own posts but cannot publish them. A submitted post must be reviewed and published by an Editor or Administrator. Cannot upload files.
  • Subscriber — Can only read content and manage their own profile. No publishing or editing access at all. This is the default role assigned to new user registrations.

Each role inherits the capabilities of the roles below it. An Editor can do everything an Author can do, an Author can do everything a Contributor can do, and so on. The sixth role — Super Admin — exists only on Multisite networks and has full control over every site in the network.

You assign roles when creating a user account or change them later from Users > All Users in the dashboard. The default role for new registrations is set in Settings > General.

User Roles in Practice

Choosing the right role for each user is a basic but important security practice. A freelance writer should be an Author or Contributor, not an Administrator. A content manager who reviews and publishes other people's work should be an Editor. Only site owners and developers need Administrator access.

If the built-in roles do not fit your needs, you can create custom roles with specific capabilities using plugins like User Role Editor or Members. For example, a WooCommerce store might create a "Shop Manager" role that can manage orders and products but cannot install plugins or change the theme.

Developers create custom roles programmatically using add_role() and assign specific capabilities with add_cap() — both covered in our Capability glossary entry.
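The add_role() and add_cap() approach described above, written as a small plugin. This is an added example, not code from ZeroToWP or WordPress itself; the content_reviewer role, the lpr_ prefix and the choice of which capabilities count as high-risk are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Least-Privilege Roles (added example)
 * The role slug "content_reviewer" and the lpr_ prefix are hypothetical.
 */

// Capabilities that let a user change code, configuration, or other accounts.
// Which ones count as high-risk is an assumption of this example.
const LPR_HIGH_RISK_CAPS = array(
    'install_plugins', 'activate_plugins', 'edit_plugins', 'edit_themes',
    'switch_themes', 'manage_options', 'edit_users', 'promote_users',
    'unfiltered_html',
);

// Roles are stored in the database, so register once on activation
// instead of on every page load.
register_activation_hook( __FILE__, 'lpr_register_role' );

function lpr_register_role() {
    // Start from the minimum: reading, and editing drafts by any author.
    add_role( 'content_reviewer', 'Content Reviewer', array(
        'read'              => true,
        'edit_posts'        => true,
        'edit_others_posts' => true,
    ) );

    // Grant one extra capability explicitly; publishing stays with Editors.
    $role = get_role( 'content_reviewer' );
    if ( $role ) {
        $role->add_cap( 'moderate_comments' );
    }
}

// Return every role that holds at least one high-risk capability,
// so unexpected grants (for example from a plugin) can be reviewed.
function lpr_audit_roles() {
    $findings = array();
    foreach ( wp_roles()->roles as $slug => $details ) {
        $granted = array_keys( array_filter( $details['capabilities'] ) );
        $risky   = array_intersect( LPR_HIGH_RISK_CAPS, $granted );
        if ( $risky ) {
            $findings[ $slug ] = array_values( $risky );
        }
    }
    return $findings;
}
```

lpr_audit_roles() reads the stored role definitions, so on a default single-site install it reports administrator and also editor, which holds unfiltered_html.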

Why It Matters

User roles are your first line of defense against accidental or malicious damage. Giving everyone Administrator access is one of the most common security mistakes on WordPress sites. By assigning the minimum role each person needs — the principle of least privilege — you protect your content, settings, and site integrity.
